ISA 2006 Publish Webserver - first access very slow

Hello,

I published a single web server behind an ISA 2006 with a Web Server Publishing Rule.
When I try to access this site externally, it takes up to 15 seconds until the site displays.
But only on the first access! When I close my browser (even with clearing the history and cache) and open it again, the site displays within a second. Then I close my browser and open it again after 15 to 30 minutes, and the delay is again 10 to 15 seconds.

I deactivated the rule and created a new rule as a Server Publishing Rule that only forwards port 80 to my web server. That works great and without delays.

How can I troubleshoot this delay?

Thanks to all
Trinity99 Asked:

Keith Alabaster, Enterprise Architect, Commented:
How are you using DNS on the ISA box? The ISA should only use the internal DNS server addresses, with no reference to external DNS IP addresses.
0
Trinity99 (Author) Commented:
We are using only internal DNS (Active Directory integrated), which resolves external addresses.

It seems that when the site is first accessed from an external source, the ISA makes some checks on the request, and after some time the request is forwarded.
0
Keith Alabaster, Enterprise Architect, Commented:
Can you post the output of an ipconfig /all from the ISA box?
0

Trinity99 (Author) Commented:


Windows-IP-Konfiguration

   Hostname  . . . . . . . . . . . . : ITS01001
   Primäres DNS-Suffix . . . . . . . : groupsites.corp
   Knotentyp . . . . . . . . . . . . : Unbekannt
   IP-Routing aktiviert  . . . . . . : Ja
   WINS-Proxy aktiviert  . . . . . . : Ja
   DNS-Suffixsuchliste . . . . . . . : groupsites.corp

PPP-Adapter RAS-Server-(Einwähl-)Schnittstelle:

   Verbindungsspezifisches DNS-Suffix:
   Beschreibung  . . . . . . . . . . : WAN (PPP/SLIP) Interface
   Physikalische Adresse . . . . . . : 00-53-45-00-00-00
   DHCP aktiviert  . . . . . . . . . : Nein
   IP-Adresse. . . . . . . . . . . . : 169.254.203.47
   Subnetzmaske  . . . . . . . . . . : 255.255.255.255
   Standardgateway . . . . . . . . . :

Ethernet-Adapter (Extern)_vLan1099_SchuWa:

   Verbindungsspezifisches DNS-Suffix:
   Beschreibung  . . . . . . . . . . : Intel(R) PRO/1000 MT-Netzwerkverbindung #3
   Physikalische Adresse . . . . . . : 00-0C-29-27-A8-A0
   DHCP aktiviert  . . . . . . . . . : Nein
   IP-Adresse. . . . . . . . . . . . : 91.190.202.3
   Subnetzmaske  . . . . . . . . . . : 255.255.255.248
   Standardgateway . . . . . . . . . : 91.190.202.1
   NetBIOS über TCP/IP . . . . . . . : Deaktiviert

Ethernet-Adapter (Intern)_vLAN-Int0101_SchuWa:

   Verbindungsspezifisches DNS-Suffix:
   Beschreibung  . . . . . . . . . . : Intel(R) PRO/1000 MT-Netzwerkverbindung #4
   Physikalische Adresse . . . . . . : 00-0C-29-27-A8-AA
   DHCP aktiviert  . . . . . . . . . : Nein
   IP-Adresse. . . . . . . . . . . . : 192.168.175.1
   Subnetzmaske  . . . . . . . . . . : 255.255.255.0
   Standardgateway . . . . . . . . . :
   DNS-Server  . . . . . . . . . . . : 192.168.175.20

Ethernet-Adapter (DMZ1)_vLAN-Int0102_Schuwa:

   Verbindungsspezifisches DNS-Suffix:
   Beschreibung  . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter #2
   Physikalische Adresse . . . . . . : 00-0C-29-27-A8-BE
   DHCP aktiviert  . . . . . . . . . : Nein
   IP-Adresse. . . . . . . . . . . . : 192.168.176.1
   Subnetzmaske  . . . . . . . . . . : 255.255.255.0
   Standardgateway . . . . . . . . . :

Ethernet-Adapter (Mangement)_vLAN780_SchuWa-Mgmt:

   Verbindungsspezifisches DNS-Suffix:
   Beschreibung  . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter
   Physikalische Adresse . . . . . . : 00-0C-29-27-A8-B4
   DHCP aktiviert  . . . . . . . . . : Nein
   IP-Adresse. . . . . . . . . . . . : 10.252.175.3
   Subnetzmaske  . . . . . . . . . . : 255.255.255.248
   Standardgateway . . . . . . . . . :

PPP-Adapter ISAVPNSchuwaNBG:

   Verbindungsspezifisches DNS-Suffix:
   Beschreibung  . . . . . . . . . . : WAN (PPP/SLIP) Interface
   Physikalische Adresse . . . . . . : 00-53-45-00-00-00
   DHCP aktiviert  . . . . . . . . . : Nein
   IP-Adresse. . . . . . . . . . . . : 172.16.90.19
   Subnetzmaske  . . . . . . . . . . : 255.255.255.255
   Standardgateway . . . . . . . . . :
   DNS-Server  . . . . . . . . . . . : 172.16.10.2
                                       172.16.10.1
   NetBIOS über TCP/IP . . . . . . . : Deaktiviert

0
Keith Alabaster, Enterprise Architect, Commented:
That looks fine - do you have all of the ISA updates/service packs installed (Supportability update, SP1 etc)? Without them, ISA is not supported in a virtual environment. It should still work but it is not a supported configuration.

Open the ISA GUI, select Monitoring - Logging. Start query.

What do you get in the log when using the web publishing rule? The main reason why you 'normally' see the results that you report is when ISA is not able to resolve the box (the FQDN representing the box) being published. For example, when you use a server publishing rule, the traffic is simply forwarded to the internal IP addresses of the box being published. When you use the web publishing rule, it uses the FQDN - have you also added the internal IP address of the web server in the web publishing rule?
0
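
Added example, not part of the original thread: a small Python parser for ipconfig /all output in the layout posted above, which lists the DNS servers configured per adapter and flags any that fall outside RFC 1918 space, as a way to check the "internal DNS only" advice. The sample text is constructed (the 203.0.113.53 entry is made up to produce a finding), and treating "internal" as RFC 1918 is an assumption.

```python
import ipaddress
import re

# Assumption: "internal" means RFC 1918 space (is_private would also match other reserved ranges).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
KEY_VALUE = re.compile(r"^\s+([^:]+?)[\s.]*:\s*(.*)$")
DNS_LABELS = {"DNS-Server", "DNS Servers"}  # German label from the thread, plus English

# Constructed sample in the layout of the output above; the 203.0.113.53
# entry is a made-up external resolver added to show a finding.
SAMPLE = """\
Ethernet-Adapter (Extern):
   IP-Adresse. . . . . . . . . . . . : 91.190.202.3
   DNS-Server  . . . . . . . . . . . : 203.0.113.53

Ethernet-Adapter (Intern):
   IP-Adresse. . . . . . . . . . . . : 192.168.175.1
   DNS-Server  . . . . . . . . . . . : 192.168.175.20

PPP-Adapter ISAVPN:
   DNS-Server  . . . . . . . . . . . : 172.16.10.2
                                       172.16.10.1
"""

def dns_by_adapter(text):
    """Return {adapter name: [DNS server, ...]} from ipconfig /all output (IPv4 only)."""
    result, adapter, in_dns = {}, None, False
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():              # unindented line = section header
            adapter, in_dns = line.strip().rstrip(":"), False
            result[adapter] = []
            continue
        m = KEY_VALUE.match(line)
        if m:
            in_dns = m.group(1) in DNS_LABELS
            value = m.group(2).strip()
        else:                                   # value-only continuation line
            value = line.strip()
        if in_dns and value and adapter is not None:
            result[adapter].append(value)
    return result

def external_dns(text):
    """List (adapter, server) pairs whose DNS server is outside RFC 1918 space."""
    return [(a, s) for a, servers in dns_by_adapter(text).items() for s in servers
            if not any(ipaddress.ip_address(s) in net for net in RFC1918)]

print(external_dns(SAMPLE))
```
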
Trinity99 (Author) Commented:
Seems that I have found my problem, but I don't know why, because name resolution from ISA works fine and resolves the correct IP address.

Look at the screen shots attached.

Thank you.
bad.jpg
good.jpg
0